Did you know that compliance is one of the fastest-growing areas in the private equity space? Recent surveys indicate that PE compliance spending has rapidly outpaced other PE operating costs, with estimates indicating that individual PE funds on average spend at least 15 – 20% of their operating budgets on this area. General Partners (GPs) have also significantly stepped up the hiring of private equity compliance-related roles.

One of the themes raised in the book is the relationship between liquidity and compliance management. As compared to their hedge fund peers, some have historically taken the perspective that private equity General Partners (GPs), as well as their investors, also called Limited Partners (LPs), have less of an obligation to rigorously manage and analyze compliance. This line of thinking is typically rooted in the historical liquidity differences between more liquid hedge funds and less liquid private equity. The argument follows that more liquid assets trade more frequently and therefore there is more compliance work to be done in areas such as trading compliance. Similarly, with fewer trades on the private equity side, there is much less trading compliance oversight to be performed. While this may be true, it does not mean that illiquidity removes the obligation for robust compliance management across the board.

Compliance is an umbrella term that encompasses many different categories of compliance management. As we indicated above, one of those categories is the compliance oversight of trading activities. A different area of compliance management relates to the valuation of securities held by a fund. It could be argued that for less liquid holdings, such as private equity, the amount of compliance oversight involved is more complex as compared to a very liquid portfolio. This line of reasoning argues that in a liquid portfolio prices are readily available from a wide variety of sources. This allows multiple parties to independently verify the prices of securities.

In a hedge fund context, examples of these third parties would be an administrator and prime brokers. On the private equity side, with more illiquid securities, there is often a very thinly traded market, if any, for portfolio holdings most of the time. In these cases, it could be argued that there is no complexity at all. Rather, the position is valued at the price it was purchased at (i.e. cost) and then, when it is sold, it is marked at that price. This, however, does not take into account the ongoing valuation of the position through its life in the portfolio. This ongoing valuation work requires oversight from compliance to ensure that the GP is not only adhering to whatever specific ongoing valuation requirements are in place for a particular fund, but that the GP is also properly documenting these valuations. One common method by which this is accomplished is through a valuation memorandum. In certain instances, perhaps on a quarter-to-quarter basis, a GP may feel that the valuation of a position has not significantly changed and therefore it does not require a new mark. The GP may still have a compliance obligation to produce a valuation memo attesting to this fact. Along the same vein, a private equity fund’s holding in a single position may be relatively small in comparison to the rest of the fund but may grow over time. In this case, once the position breaches a certain pre-determined portfolio size threshold, additional valuation procedures may be triggered. An example of this would be a requirement that the GP engage a third-party valuation consultant for single positions which constitute more than 25% of a fund. The job of the compliance function is to ensure that these valuation obligations are met.

As these examples demonstrate, the duties of compliance in the less liquid world of private equity, as compared to hedge funds, share a number of similarities and differences. While the liquidity of a portfolio does shift the implementation of compliance obligations in areas such as trade and valuation compliance, it does not lessen the importance of compliance in these areas. Both hedge funds and private equity funds can benefit from strong compliance functions, and LPs in particular can benefit from engaging in active discussion with GPs surrounding the management and oversight of their compliance programs. To learn more, we invite you to purchase a copy of Private Equity Compliance today.

Have you heard of the General Data Protection Regulation (GDPR)? This new regulation was adopted on April 14, 2016 and comes into effect on May 25, 2018. GDPR will institute major changes for both hedge fund and private equity managers with regard to the way they store and protect data. Those fund managers that are in violation of GDPR are also subject to significant penalties. Have you incorporated GDPR considerations in your ODD reviews? The good news is that it is not too late to start asking about it!

GDPR background:

GDPR is also known as Regulation (EU) 2016/679 of the European Parliament. The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe as well as to protect EU citizens’ data privacy across the region. The new GDPR regulations bring many revisions and stricter obligations compared to the previous regulations.

Increased penalties – organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater)

Consent – the EU has strengthened the conditions surrounding the requirement that disclosures regarding consent given for the use of data be in plain language and not full of complex legal terminology. Also strengthened are the rules surrounding the ease with which consent can be withdrawn

Breach notifications – notification of any data breaches must be provided within 72 hours of a fund manager first becoming aware of the breach

Right to access – Expanded rights for individuals to be able to obtain clarification as to whether or not personal data concerning them is being utilized, where and for what purpose

Data erasure – investors in a fund will also have a right under GDPR to have their data forgotten. Investors may even have the ability to request that third parties the fund works with stop processing their data

Data portability – GDPR introduces a new concept known as data portability which is the right for an investor, sometimes referred to as a so-called data subject in the regulations, to receive the personal data concerning them. Investors may also have the right to transmit that data to another entity such as a different fund manager.

Privacy by design and data minimization requirements – the privacy by design concept is integrated into GDPR and calls for data privacy controls to be implemented as part of the initial design of a fund manager’s systems. An additional theme of GDPR is to collect and retain only the minimum amount of data required and to limit access to only essential personnel

Data Protection Officers, Controllers and Processors

GDPR contains a number of technical terms which fund managers must be familiar with in designing their policies and procedures to comply with this legislation. To catch up on terminology, under GDPR there are entities known as a “controller.” This is the entity that determines the purposes, conditions and means of the processing of personal data. A data “processor” is an entity which processes personal data on behalf of the controller. Using this terminology, a fund manager would likely be the controller and third-party fund service providers would be processors.

There is also a requirement under GDPR for a fund manager, in the majority of cases, to appoint an individual to a position known as a Data Protection Officer (DPO). There are a number of similarities between the role of a DPO and compliance-related roles such as a Money Laundering Reporting Officer (MLRO), as well as the Chief Compliance Officer (CCO) position. Similar to the MLRO and CCO, the DPO may either be an employee of the fund manager or a third-party service provider. Another similarity to the practices typically employed for CCOs is that under GDPR the DPO must report directly to the highest level of management, must avoid conflicts of interest and must have appropriate resources to carry out their tasks. With all of this overlap, there may be a tendency for a fund manager to simply add another hat to the already top-heavy role of the CCO by assigning them the required DPO title as well. Is this merely providing GDPR the minimum required lip service, or will such dual appointments actually address the law’s requirements?

GDPR Operational due diligence considerations

If you haven’t already asked about GDPR during operational due diligence (ODD) – you should start!

In preparing for GDPR, both hedge fund and private equity fund managers will likely need to integrate their preparatory GDPR work across various departments including compliance, information technology, risk management, and senior management. The ways in which a fund manager has begun to make these preparations will likely be a useful source of information to signal whether the manager is aware of the intricacies of GDPR and whether they have begun to make the appropriate preparations.

Service provider based GDPR solutions

Similar to the initial implementation of Form PF in the US, a number of information technology vendors and other third-party fund service providers, including law firms, have begun to offer GDPR consulting services to hedge funds and private equity funds. The wide variety of services ranges from technology-based data solutions to more traditional compliance and law-based consulting. The GDPR-related services offered by these firms may overlap with services a hedge fund or private equity manager is currently utilizing from an existing provider. Sorting all this out so as not to duplicate efforts, either internally at the fund or among multiple service providers, should be part of a fund’s pre-GDPR implementation game plan.

Cloud considerations

Hedge funds and private equity managers are increasingly utilizing cloud-based solutions in part for their ease of accessibility, enhanced security and cost efficiency. A consideration for fund managers under GDPR would be whether data is stored by a manager on their own cloud or, more likely, using third-party cloud solutions. Additionally, a fund’s service provider, such as an administrator or information technology vendor, may store fund-related data on the cloud. Alternatively, a vendor engaged by a fund to assist with GDPR may, as part of this process, also store fund data on the cloud. This use of the cloud could expose not only the third-party vendor to risk, but also the fund itself to enhanced data security and oversight obligations under GDPR.

UK Brexit considerations

There are also considerations for UK-based fund managers facing uncertainty surrounding whether or not the UK will retain GDPR in a post-Brexit environment. While the situation is uncertain, the UK government has suggested, in part based on a history of similar previous UK legislation such as the UK Data Protection Act of 1998, that any legislation they implement will largely follow GDPR.

EU Privacy Considerations as Funds Expand Technology Based Research

Fund managers, hedge funds in particular, have become increasingly creative in their attempts to collect and mine what some call “alternative data” for investment research purposes. Examples of these new types of data collection techniques, which have replaced or augmented traditional store channel checks, include the use of drones and satellite imagery to monitor retail establishment parking lots, analyzing credit card transaction data, and the monitoring of cell phone signals for geodata to track the volume of visits to locations including hospitals and stores.

This data is often utilized as part of a larger predictive analysis and may also be combined with big data analysis techniques. These new technology-based data collection techniques have raised a number of potentially concerning grey areas with regard to the privacy implications surrounding this data, including potential violations of insider trading laws.

Under GDPR, fund managers will have to ensure that the ways in which they collect and store this information comply with GDPR requirements. Many fund managers may not be collecting this data themselves but instead purchasing it. If that is the case, there are considerations under GDPR relating to the ways in which this data must be anonymized in a GDPR-compliant manner. How a fund manager has designed a strategy to navigate these types of complex data privacy issues should be asked about during ODD.

Other Key GDPR ODD Questions –

When approaching a fund manager about GDPR during ODD, the first question that should likely be asked is if they believe that GDPR will be applicable to them. If not, have they confirmed this with external counsel? When evaluating a fund’s answer in this regard it should also be noted that GDPR applies not only to EU based fund managers, but also to those that offer funds to EU investors. For example, a US based fund manager marketing its funds in the EU would likely be subject to elements of GDPR.

If GDPR is indeed applicable to a fund, key questions that should be incorporated into the ODD process to address GDPR would include:

What steps have you taken to prepare for GDPR implementation?

Have you worked with any third-party vendor, such as compliance consultants or external legal counsel, to evaluate your level of GDPR preparedness?

How has the information technology department been involved in preparing for GDPR implementation?

Is there a plan for GDPR considerations to be integrated into ongoing compliance, technology and internal audit testing?

Who will be your DPO? Have you considered the pros and cons of outsourcing this role?

Also, from an ODD perspective it is worth inquiring whether the fund manager intends to pass through any of the compliance expenses surrounding GDPR implementation directly to any underlying funds. Such direct pass-throughs will likely be frowned upon by investors, but the increased costs of GDPR compliance may still be passed through as a result of increased overall fund expenses for items such as shared servers or software to assist with compliance, part of which a fund’s investors may end up paying.

Where do we go from here?

GDPR is one of a variety of new regulations that will affect fund managers in 2018. Others include the Markets in Financial Instruments Directive II (MiFID II / MiFIR) and the Packaged Retail and Insurance-based Investment Products (PRIIPs) regulation. Taking upfront measures now to evaluate, during the ODD process, how funds have prepared for these new challenges before these regulations become effective will likely offer valuable insights into the overall strength of a fund manager’s compliance program and the level to which they are informed of continued regulatory and legislative developments that can directly impact their bottom-line profitability.

While asking a manager how they plan to approach GDPR is certainly a good first step, do you feel you are equipped to appropriately assess their responses? For example, are you up to speed on how a fund manager’s peers on either side of the Atlantic are approaching the situation? Have you surveyed the marketplace to understand whether certain fund consultants and technology-based solutions have shown better aptitude in this area than others? Is your fund working with one of those consultants or systems? Do they plan to? Do you have an understanding of overall best practices in this area? What about having a dialogue with regulatory agencies as to their perspectives on the key enforcement areas they may tackle after GDPR takes effect?

These types of questions illustrate the added value a specialist ODD consultant such as Corgentum may be able to bring to the overall ODD process. Why not contact us today to learn how we can assist in evaluating if a fund under ODD consideration is appropriately prepared for GDPR? You might be surprised what you learn if you ask the right questions.
